Social Engineering

In Social Engineering, an attacker exploits the “human factor” as the supposed weakest link in the Information Security chain in order to accomplish his criminal intent [1]. Verizon’s 2021 Data Breach Investigations Report (DBIR) lists Social Engineering as #1 pattern in data breaches [2] and ENISA names it “the most prevalent attack technique” [3].

The following types of Social Engineering pose an immense risk to today’s organizations.

Phishing

Cyber criminals use phishing to obtain confidential data from unsuspecting users. This can involve, for example, credentials for e-mail accounts, corporate information, or credit card data. The attackers take advantage of their victim’s gullibility and willingness to help by sending them e-mails with fake sender addresses. In the e-mails, the victim is informed, for example, that his account information and access data (e.g., user name and password) are no longer secure or up to date and that he should change them using the link provided in the e-mail. However, the link then does not lead to the original page of the respective service provider, but to a website set up identically by the cyber criminals [4].

Vishing

Vishing is a form of Social Engineering that relies on phone calls and voice messages to deceive victims. This method tries to convince the victim to disclose sensitive information over the phone or redirects users to a website created by cyber criminals for the sole purpose of deceiving the target.

Tailgating

With tailgating, attackers follow an authorized person into a restricted area or system. Criminals, for example, dress as employees, carry heavy boxes, and convince a victim entering at the same time to open the door using the victim’s RFID batch [5].

Pretexting

With pretexting, a false justification for a specific course of action is placed by the attacker to gain trust and alter the behavior of the victim. For example, an attacker may claim to work for IT-support and request passwords for maintenance purposes [5]. This technique is often used in combination with other Social Engineering actions. Verizon states that in several data breaches of 2021 pretexting resulted in “the initiation of a Fraudulent transaction, causing money to go where it was not supposed to” [2].

Recommendation

Check if your organization is well prepared for this #1 Cybersecurity threat:

  • Are Cybersecurity awareness trainings regarding Social Engineering (e.g., test phishing mails) embedded in every employees daily work?
  • Are technical measures in place to
    • prevent phishing emails to be delivered?
    • enable reporting of phishing mails?
  • Are organizational measures in place to enable employees handling vishing attempts?
  • Are technical and organizational measures in place to prevent tailgating?

Need help mitigating the risk of Social Engineering for your organization? Contact us for more information.

Sources